Web Healthcare Firms Must Protect Against Legal Actions
Alan C. Brown, an attorney at McKenna & Cuneo, Washington, said several more state and federal actions will be brought against dot-coms if current class action suits over alleged privacy violations are successful.
Brown cited one of the most well-known Net companies with legal trouble: DoubleClick, which has faced six class action suits over combining its online profiles with Abacus Direct's database of consumers' personal records. As a result, DoubleClick's stock has tumbled, and the Federal Trade Commission is investigating how sites collect and use customer data.
In addition, health Web sites soon will be subject to the privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA), which put tighter controls on the handling of patient information.
Although online health firms have not faced class action lawsuits, Brown warned about offline cases that could affect Internet firms.
For example, in Weld vs. CVS Corp., a Massachusetts judge ruled that patients could bring a class action suit against the CVS drug store chain, Woonsocket, RI, and drug companies that allegedly used patients' prescription information in a direct mail program.
"It is reasonable to infer that a person who imparts private medical and prescription information to a pharmacist expects that such information will be maintained in confidence," the judge said.
To avoid similar privacy suits, Brown suggests online health companies establish a privacy/security plan, forming a team from operations, human resources, legal and information systems departments. For the plan to succeed, senior management must provide the leadership, according to Brown.
The team must establish goals, which include minimizing legal risks while moving the institution into the e-healthcare era. Legal guidelines, including those from HIPAA, the FTC and state governments, must be carefully examined.
Companies also should determine whether they will face international privacy issues. "The European Union is going the road of, 'You can be sued in the country of the individual.' If you have any transaction in Europe, you're subject to be sued by someone in Europe," Brown said.
The team should ascertain whether privacy and information security are part of the company's employee training and disciplinary programs.
Online healthcare companies should define who -- such as medical personnel, accounting departments, management and patients/customers -- needs access to information, and develop a chart of information flow within the company.
Health sites that use third parties to store or transmit data should check the outside companies' security procedures, including a site inspection. "Contractual commitments may not be enough. If they lose your data, your patients/customers will blame you," Brown said.
After a privacy/security program has been established, the company should follow through with training and periodic audits of both administrative and technical procedures.